Hi team! As you may know, I've been trying to migrate the GitHub Actions runners over to Google Cloud. A few days ago, Jarek brought to my attention a few security issues (it looks like Jenkins doesn't suffer from these concerns) that would come up were I to use the version of the GA runners provided by GitHub.
There is a workaround that requires using a patched version of the original GA runners. A caveat here is that those Actions runners need to be executed on VMs instead of containers. As far as I know, in Beam we've prioritized ease of contribution (i.e. run the tests right away) over the concern of having arbitrary code come from a pull request.

The way I see it, we have two options here:

1.- Proceed with the use of default GA runners on Google's Kubernetes engine (GKE) and allow everyone that creates a pull request to run the Java and Python tests, or

2.- Use the patched GA runners (which allows us to specify which contributors/accounts can execute Actions runners) and deploy them to VMs on Google Compute Engine; this in case we would like to restrict access in the future.

What are your thoughts on this? Thanks for the input!

- Fer
